W32/Bagle.AD

| Name | W32/Bagle.AD |
| Aliases | W32/Bagle.ad@mm, W32/Bagle.AD, WORM_BAGLE.AD, W32.Beagle.Y@mm, Bagle.AD, Bagle, virus |
| Discovered on | 5th July, 2004 |
Virus Information - W32/Bagle.AD:
W32/Bagle.AD is a mass-mailing worm that infects Windows systems.
It spreads through email and through shared drives on the network.
The infected email carries a spoofed 'From' address picked at random
from the addresses found on the infected system.
The subject of the infected email
will be any one of the following:
Re: Hi
Update
Re: Hello
Re: Yahoo!
Re: Document
Site changes
Re: Thanks :)
Re: Msg reply
Re: Thank you!
RE: Text message
RE: Incoming Msg
RE: Protected message
Re: Incoming Message
RE: Message Notify
Encrypted document
Protected message
Incoming message
Notification
Forum notify
Fax Message
Changes..
The body of the infected email will be any one of
the following:
See attach.
Read the attach.
Your file is attached.
Pay attention at the attach.
Please, read the document.
Your document is attached.
See the attached file for details.
Please, have a look at the attached file.
Check attached file for details.
Attached file tells everything.
Attach tells everything.
More info is in attach
Message is in attach
Check attached file.
Here is the file.
The infected attachment will have any one of the following
names:
Readme
Message
Updates
MoreInfo
text_document
Information
Document
Details
Info
The extension of the attachment may be any one of the following:
zip
exe
scr
com
cpl
hta
vbs
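The subject, body, attachment-name and extension lists above are exactly what a mail gateway rule needs. The following is an added example for this page, not vendor code: it parses an RFC 822 message with Python's standard email package, checks each of the three traits against the lists, and flags the message only when at least two traits coincide, since a subject such as "Update" on its own is common in legitimate mail. The two sample messages at the bottom are constructed for illustration.

```python
"""Mail-gateway triage rule for the Bagle.AD message pattern above.
Added example for this page (not vendor code); the messages at the
bottom are constructed for illustration."""
import email
from email import policy
from email.message import EmailMessage

# Subjects, bodies, attachment names and extensions exactly as listed above.
SUBJECTS = {
    "Re: Hi", "Update", "Re: Hello", "Re: Yahoo!", "Re: Document",
    "Site changes", "Re: Thanks :)", "Re: Msg reply", "Re: Thank you!",
    "RE: Text message", "RE: Incoming Msg", "RE: Protected message",
    "Re: Incoming Message", "RE: Message Notify", "Encrypted document",
    "Protected message", "Incoming message", "Notification", "Forum notify",
    "Fax Message", "Changes..",
}
BODIES = {
    "See attach.", "Read the attach.", "Your file is attached.",
    "Pay attention at the attach.", "Please, read the document.",
    "Your document is attached.", "See the attached file for details.",
    "Please, have a look at the attached file.",
    "Check attached file for details.", "Attached file tells everything.",
    "Attach tells everything.", "More info is in attach",
    "Message is in attach", "Check attached file.", "Here is the file.",
}
ATTACH_NAMES = {"readme", "message", "updates", "moreinfo", "text_document",
                "information", "document", "details", "info"}
ATTACH_EXTS = {"zip", "exe", "scr", "com", "cpl", "hta", "vbs"}


def score_message(raw):
    """Parse one RFC 822 message and report which Bagle.AD traits it shows.
    A single trait (e.g. subject 'Update') is common in legitimate mail, so
    the message is flagged only when at least two traits coincide."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content().strip() if body_part else ""
    if body_text in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        stem, _, ext = (part.get_filename() or "").rpartition(".")
        if stem.lower() in ATTACH_NAMES and ext.lower() in ATTACH_EXTS:
            hits.append("attachment")
            break
    return {"hits": hits, "suspicious": len(hits) >= 2}


def build_sample(subject, body, attachment_name):
    """Construct a sample message; the attachment payload is inert filler."""
    m = EmailMessage()
    m["From"] = "spoofed.sender@example.org"
    m["To"] = "recipient@example.net"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: one matching the worm's pattern, one ordinary mail
# that shares only the subject line.
SAMPLE_WORM = build_sample("Re: Document", "See attach.", "Document.zip")
SAMPLE_BENIGN = build_sample("Update", "The meeting moved to 3pm.", "agenda.pdf")

if __name__ == "__main__":
    for label, raw in (("worm-like", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw))
```

Matching is exact on purpose: the worm picks its strings from fixed lists, so a loose substring match would only add false positives on ordinary mail. The threshold of two traits is the knob to tune; a gateway that also quarantines every executable attachment type in the extension list needs no such rule at all.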
Upon execution of the attachment, the worm copies itself as
LOADER_NAME.EXE in the Windows System folder.
It also drops LOADER_NAME.EXEOPEN and LOADER_NAME.EXEOPENOPEN,
which are further copies of the worm.
It alters the Windows registry at the following
location so that it is loaded at the next startup:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also creates several mutexes to ensure that
only one instance of the worm is running, and it terminates some variants
of W32/Netsky. The mutexes are:
• AdmSkynetJklS003
• [SkyNet.cz]SystemsMutex
• ____--->>>>U<<<<--____
• MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
• 'D'r'o'p'p'e'd'S'k'y'N'e't'
• _-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_
• _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
The worm also tries to terminate the processes of security-related software.
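The persistence traces described above (the loader in the System folder with its OPEN and OPENOPEN copies, the HKCU Run value that launches it, and the mutex names) can be checked from a host listing without knowing the loader's actual name, because the two suffixed copies are distinctive on their own. The following is an added example for this page, not vendor code. The page gives only the placeholder LOADER_NAME, so the inputs are constructed (svc_loader stands in for it); the collect_live helper assumes an NT-family host where the System folder is System32, and mutex names would have to come from a separate handle-listing tool.

```python
"""Host-side check for the traces described above: the loader copied to
the Windows System folder together with its 'OPEN' and 'OPENOPEN'
copies, the HKCU Run value that launches it, and the mutex names.
Added example for this page, not vendor code. The page gives only the
placeholder LOADER_NAME, so the inputs below are constructed; on a real
host the same functions take a live listing and Run-key values (see
collect_live, which assumes an NT-family host where the System folder
is System32)."""
import ntpath
import os

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
MUTEXES = {
    "AdmSkynetJklS003",
    "[SkyNet.cz]SystemsMutex",
    "____--->>>>U<<<<--____",
    "MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D",
    "'D'r'o'p'p'e'd'S'k'y'N'e't'",
    "_-oOaxX|-+S+-+k+-+y+-+N+-+e+-+t+-|XxKOo-_",
    "_-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_",
}


def find_loader_triples(filenames):
    """Return every X.exe for which X.exeOPEN and X.exeOPENOPEN also exist.
    Names are compared case-insensitively, as Windows file systems do; the
    two extra copies are the distinctive part, whatever the loader is called."""
    present = {n.lower() for n in filenames}
    return sorted(n for n in present
                  if n.endswith(".exe")
                  and n + "open" in present
                  and n + "openopen" in present)


def _executable_of(command):
    """First token of a Run-key command, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def run_values_for(run_values, system_dir, loaders):
    """Run-key values (name, data) that launch one of the loaders from
    system_dir."""
    sysdir = system_dir.lower().rstrip("\\")
    hits = []
    for name, data in run_values:
        exe = _executable_of(data).lower()
        if ntpath.dirname(exe) == sysdir and ntpath.basename(exe) in loaders:
            hits.append((name, data))
    return hits


def assess(filenames, run_values, system_dir, mutex_names=()):
    """Combine the three checks into one report."""
    loaders = find_loader_triples(filenames)
    return {
        "loaders": loaders,
        "run_entries": run_values_for(run_values, system_dir, loaders),
        "mutexes": sorted(set(mutex_names) & MUTEXES),
    }


def collect_live():
    """Gather the real inputs on a Windows host (mutex names must come from
    a separate handle-listing tool and are not collected here)."""
    import winreg  # Windows-only module, imported lazily
    system_dir = os.path.join(os.environ["SystemRoot"], "System32")
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        for i in range(winreg.QueryInfoKey(key)[1]):
            name, data, _kind = winreg.EnumValue(key, i)
            values.append((name, str(data)))
    return os.listdir(system_dir), values, system_dir


# Constructed inputs: 'svc_loader' stands in for the page's LOADER_NAME.
SYSTEM_DIR = r"C:\WINDOWS\System32"
SAMPLE_LISTING = ["kernel32.dll", "notepad.exe", "svc_loader.exe",
                  "svc_loader.exeOPEN", "svc_loader.exeOPENOPEN", "calc.exe"]
SAMPLE_RUN = [
    ("Sync", r'"C:\Program Files\Sync\sync.exe" /background'),
    ("svc_loader", r"C:\WINDOWS\System32\svc_loader.exe"),
]
SAMPLE_MUTEXES = ["Global\\SomeAppMutex", "[SkyNet.cz]SystemsMutex"]

if __name__ == "__main__":
    print(assess(SAMPLE_LISTING, SAMPLE_RUN, SYSTEM_DIR, SAMPLE_MUTEXES))
```

The Run-key check is deliberately tied to the loader triple rather than to any particular value name, since the page does not give one; a standalone Run entry pointing into the System folder is worth a look on its own, but by itself it is not evidence of this worm.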
To propagate itself, the worm scans the
infected machine for files with the following extensions and collects
all the email addresses they contain:
.xml, .xls, .wsh, .wab,
.uin, .txt, .tbb, .stm, .shtm, .sht, .pl, .php, .oft, .ods, .mbx, .jsp,
.htm, .eml, .dhtm, .dbx, .nch, .msg, .mmf, .mht, .mdx, .cgi, .cfg, .asp,
.adb.
The worm uses its own SMTP engine to mail itself to these email
addresses.
